From e4f44350bcd8a4be609926f15de5f7533bd80b66 Mon Sep 17 00:00:00 2001
From: Salvatore Dario Minonne <sminonne@redhat.com>
Date: Mon, 3 Jul 2023 18:03:52 +0200
Subject: [PATCH] demo version

Signed-off-by: Salvatore Dario Minonne <sminonne@redhat.com>
---
 README.md                                     | 11 +++++
 demo.sh                                       | 48 ++++++++-----------
 manifests/guestbook-certificate/Chart.yaml    |  5 --
 .../templates/certificate.yaml                | 31 ------------
 manifests/guestbook-ingress/Chart.yaml        |  5 --
 .../guestbook-ingress/templates/ingress.yaml  | 22 ---------
 mini-ca/README.md                             | 14 +++++-
 mini-ca/check-or-generate-intermediate.sh     |  8 ++--
 8 files changed, 48 insertions(+), 96 deletions(-)
 delete mode 100644 manifests/guestbook-certificate/Chart.yaml
 delete mode 100644 manifests/guestbook-certificate/templates/certificate.yaml
 delete mode 100644 manifests/guestbook-ingress/Chart.yaml
 delete mode 100644 manifests/guestbook-ingress/templates/ingress.yaml

diff --git a/README.md b/README.md
index c3016d1..5c2ea33 100644
--- a/README.md
+++ b/README.md
@@ -8,6 +8,17 @@ One of the main goal of this repository is to show how we can add certificates r
 This is optional but in case cluster pods cannot see each other you may want to chec connectivity.
 ```shell
 $ export KUBECONFIG=$(mktemp)
+$ ./00-boostrap-minikube-infra.sh
+...
+
+$ ./192.168.50.161 cluster1
+192.168.39.24 mgmt
+192.168.39.24 my-git.io
+```
+
+Optionally you may want to check network connectivity between the clusters
+
+```shell
 $ ./01-check-minikube-infra-connectivity.sh
 ```
 
diff --git a/demo.sh b/demo.sh
index 30727af..3ea46ac 100755
--- a/demo.sh
+++ b/demo.sh
@@ -35,7 +35,7 @@ wait_until "all_pods_in_namespace_for_context_are_running cert-manager  $(get_cl
 ##########################################
 # Deploy cert-manager ca-issuer and certs
 ##########################################
-log::info "Let's create the secret needed for the CA-issuer"
+log::info "Let's create  ca-key-pair: secret needed for the CA-issuer"
 kubectl --context $(get_client_context_from_cluster_name ${MGMT}) -n cert-manager create secret tls ca-key-pair \
   --key="${ROOTDIR}/mini-ca/intermediate/private/argo_intermediate_private_key.pem" \
   --cert="${ROOTDIR}/mini-ca/intermediate/argo_intermediate_cert.pem"
@@ -52,12 +52,8 @@ pe "kubectl --context $(get_client_context_from_cluster_name ${MGMT}) get cluste
 # Install gitea on mgmt cluster aka my-git.io
 #############################################
 #from https://gitea.com/gitea/helm-chart/src/branch/main/values.yaml
-#username: gitea_admin
-#password: r8sA8CPHD9!bt6d
-#email: "gitea@local.domain"
-
-GITEAUSERNAME='gitea_admin'
-GITEAPASSWORD='r8sA8CPHD9!bt6d'
+GITEAUSERNAME='gitea_admin' #username: gitea_admin
+GITEAPASSWORD='r8sA8CPHD9!bt6d' #password: r8sA8CPHD9!bt6d
 GITEANS=gitea
 
 log::info "Creating a GIT server on ${MGMT} cluster using helm charts for GITEA see https://gitea.io/en-us"
@@ -141,23 +137,6 @@ spec:
       kind: '*'
 EOF
 
-
-#################
-# Deploy syncrets
-#################
-log::info "Deploying syncrets"
-#SYNCRETSDIR=$(mktemp -d /tmp/syncrets.XXXX)
-#git clone https://github.com/sdminonne/syncrets.git ${SYNCRETSDIR}
-SYNCRETSDIR=~/dev/sdminonne/syncrets/src/github.com/sdminonne/syncrets/
-pushd ${SYNCRETSDIR}
-make build
-make image
-make CLUSTER=${MGMT} push-image
-kubectl --context $(get_client_context_from_cluster_name ${MGMT}) apply  -f ${SYNCRETSDIR}/deployment/syncrets.yaml
-popd
-wait_until "all_pods_in_namespace_for_context_are_running cert-manager  $(get_client_context_from_cluster_name ${MGMT})" 10 120
-
-
 log::info "creating clusteraddons GIT repo in https://my-git.io"
 curl  -u 'gitea_admin:r8sA8CPHD9!bt6d' \
     -X POST  "https://my-git.io/api/v1/user/repos" \
@@ -177,15 +156,15 @@ pe "git commit -s -a -m 'To add guestbook'"
 pe "git push origin HEAD"
 popd
 
+
 ###########################################################################
 # Adds repo to argocd to trust  https://my-git.io/gitea_admin/clusteraddons
 ###########################################################################
 pe "argocd repo add  --insecure-skip-server-verification https://my-git.io/gitea_admin/clusteraddons.git"
 
 
-
 ##################
-# Deploy guestbook 
+# Deploy guestbook
 ##################
 log::info "Deploying the guesbook-ingress to remote clusters"
 cat <<EOF |  kubectl --context $(get_client_context_from_cluster_name ${MGMT})  apply  -f -
@@ -273,4 +252,19 @@ spec:
 EOF
 done
 
-pe "argocd --core=true cluster list"
\ No newline at end of file
+pe "argocd --core=true cluster list"
+
+#######################################################################
+# Now deploy syncrets since it has to find the ingress (for the moment)
+#######################################################################
+log::info "Deploying syncrets"
+#SYNCRETSDIR=$(mktemp -d /tmp/syncrets.XXXX)
+#git clone https://github.com/sdminonne/syncrets.git ${SYNCRETSDIR}
+SYNCRETSDIR=~/dev/sdminonne/syncrets/src/github.com/sdminonne/syncrets/
+pushd ${SYNCRETSDIR}
+make build
+make image
+make CLUSTER=${MGMT} push-image
+kubectl --context $(get_client_context_from_cluster_name ${MGMT}) apply  -f ${SYNCRETSDIR}/deployment/syncrets.yaml
+popd
+wait_until "all_pods_in_namespace_for_context_are_running cert-manager  $(get_client_context_from_cluster_name ${MGMT})" 10 120
diff --git a/manifests/guestbook-certificate/Chart.yaml b/manifests/guestbook-certificate/Chart.yaml
deleted file mode 100644
index 834ec45..0000000
--- a/manifests/guestbook-certificate/Chart.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: v2
-name: certificate-request
-description: A Helm chart to deploy Guesbook Ingress to remote clusters
-version: 0.9.0
-appVersion: "1.0"
diff --git a/manifests/guestbook-certificate/templates/certificate.yaml b/manifests/guestbook-certificate/templates/certificate.yaml
deleted file mode 100644
index 6b00247..0000000
--- a/manifests/guestbook-certificate/templates/certificate.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: ${mc}-cert
-  namespace: cert-manager
-spec:
-  secretName: {{ .Values.secret }}
-  duration: 2h
-  renewBefore: 1h
-  secretTemplate:
-    annotations:
-      syncrets-namespace: guestbook
-    labels:
-      cluster: {{ .Values.host }}
-  commonName: {{ .Values.host }}
-  subject:
-    organizations:
-      - argocd-fleet-manager
-    organizationalUnits:
-      - argo
-  privateKey:
-    algorithm: RSA
-    size: 2048
-  usages:
-    - server auth
-  dnsNames:
-    - {{ .Values.host }}
-  issuerRef:
-    name: ca-issuer
-    kind: ClusterIssuer
-    group: cert-manager.io
diff --git a/manifests/guestbook-ingress/Chart.yaml b/manifests/guestbook-ingress/Chart.yaml
deleted file mode 100644
index 166a09b..0000000
--- a/manifests/guestbook-ingress/Chart.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: v2
-name: guestbook-ingress
-description: A Helm chart to deploy Guesbook Ingress to remote clusters
-version: 0.9.0
-appVersion: "1.0"
diff --git a/manifests/guestbook-ingress/templates/ingress.yaml b/manifests/guestbook-ingress/templates/ingress.yaml
deleted file mode 100644
index c7a500a..0000000
--- a/manifests/guestbook-ingress/templates/ingress.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: guestbook-ingress
-spec:
-  rules:
-  - host: {{ .Values.host }}
-    http:
-      paths:
-      - backend:
-          service:
-            name: guestbook-ui
-            port:
-              number: 80
-        path: /
-        pathType: Exact
-  tls:
-  - hosts:
-    - {{ .Values.host }}
-    secretName: {{ .Values.secret }}
-status:
-  loadBalancer: {}
diff --git a/mini-ca/README.md b/mini-ca/README.md
index 41be382..9513886 100644
--- a/mini-ca/README.md
+++ b/mini-ca/README.md
@@ -9,11 +9,21 @@ $ ./check-or-generate-root.sh
 $ ./check-or-generate-intermediate.sh
 ```
 
+At the end of the run of these two scripts you hould have these files:
 
-Now let's add the intermediate cert as a trusted certificate authority.
+```shell
+.../mini-ca/root/argo_root_cert.pem
+.../mini-ca/intermediate/private/argo_intermediate_private_key.pem"
+.../mini-ca/intermediate/argo_intermediate_cert.pem
+```
+
+The first one `.../mini-ca/root/argo_root_cert.pem` is the Root CA that you've to add and trust to your local machine; instead `.../mini-ca/intermediate/argo_intermediate_cert.pem` and `.../mini-ca/intermediate/private/argo_intermediate_private_key.pem` are the intermediate CA to create the CA-issuer for cert-manager.
+
+
+Now let's add the root CA as a trusted certificate authority.
 
 ``` shell
-$ sudo cp root/argo_root_cert.pem /etc/pki/ca-trust/source/anchors/argo_root_cert.pem
+$ sudo cp ./mini-ca/root/argo_root_cert.pem /etc/pki/ca-trust/source/anchors/argo_root_cert.pem
 ```
 
 ```shell
diff --git a/mini-ca/check-or-generate-intermediate.sh b/mini-ca/check-or-generate-intermediate.sh
index 732c4d9..c5ece67 100755
--- a/mini-ca/check-or-generate-intermediate.sh
+++ b/mini-ca/check-or-generate-intermediate.sh
@@ -63,10 +63,10 @@ organizationalUnitName	= argo
 commonName              = Intermediate CA
 
 [policy_server_cert]
-countryName             = optional
-stateOrProvinceName     = optional
-localityName            = optional
-organizationName        = optional
+countryName             = match
+stateOrProvinceName     = match
+localityName            = match
+organizationName        = match
 organizationalUnitName  = optional
 commonName              = supplied
 emailAddress            = optional